Qantas pilots faced screens of warning messages after engine exploded

The four-engined Airbus A380 "superjumbo" is designed to be flown by computer with minimal human interference. But it was the expertise of the pilots that was needed when their 6" by 8" cockpit displays filled with alerts, and were replaced...

Tony Collins
November 22, 2010

Share

Twitter

Facebook

LinkedIn

Google Plus

The four-engined Airbus A380 "superjumbo" is designed to be flown by computer with minimal human interference.

But it was the expertise of the pilots that was needed when their 6" by 8" cockpit displays filled with alerts, and were replaced by new screens of warnings, after an engine exploded on a Qantas flight on 4 November 2010.

The pilots might have known that another Airbus, an Air France A330-200, crashed on 1 June last year, with the loss of 228 passengers, after multiple computer alerts.

The incident aboard Qantas Flight QF32 from Singapore to Sydney had a happy ending, and many lessons can be learnt from it. Airbus is likely to investigate how large numbers of alerts of diverse, simultaneous failures should be displayed to pilots.

"These conditions were a step beyond what the airplane was designed for, and it was the pilots who sorted it out so that it resulted in a safe landing," aviation safety consultant John Cox of St Petersburg, Florida said.

Richard Woodward, an A380 pilot with Qantas who is Vice President of the Australian and International Pilots Association, has explained to The Press Association what happened in the cockpit of the A380 when a failed engine sent debris into the wing, severing independent wiring and hydraulic cables.

Woodward has spoken to the pilots of Flight QF32 who faced the emergency. He said that the cockpit's LCD displays filled with messages, and were replaced by new "screenfuls of warnings".

54 computer warning messages

"The amount of failures is unprecedented," said Woodward. "There is probably a one in 100 million chance to have all that go wrong ...I don't think any crew in the world would have been trained to deal with the amount of different issues this crew faced."

There were 54 messages in all. They alerted the pilots to system failures or warned of impending failures.

One warned that a ram air turbine - a backup power supply - was about to deploy, although this didn't happen, Woodward said. The warning was worrying because the RAT system deploys only when main power systems are lost.

The ram air turbine is a small emergency fan that is powered by the speed of the plane and generates enough power for vital systems.

The engine explosion happened about six minutes after QF32 took off from Singapore Changi Airport heading for Sydney. The take-off seat-belt sign was still on when passengers heard two loud bangs.

Fire erupted from the ruptured Rolls-Royce Trent 900 engine as part of it disintegrated and penetrated the casing and wing.

A passenger filmed a hole in the wing as one of the pilots made an announcement in a reassuring voice, as if describing the landscape they were flying over. He said the pilots needed to complete a check list [in the light of the on-screen warning messages].

The pilot told the passengers of QF32 shortly after the explosion:

“We do apologise. As I am sure you are aware we have a technical issue with our number two engine. We have dealt with this situation but the aircraft is secure at this stage. We are going to hold for some time as we lighten our load by dumping some fuel and a number of check lists we have to perform.

“As I am sure you are aware we are not proceeding to Sydney at this stage. We are making a left-turn now to track back towards Singapore. As we progress with this I will keep you informed. At this stage everything is secure; the aircraft is flying safely. We will get back to you very shortly with further information. Thank you for your patience. “

The pilots landed the plane safely in Singapore, with 433 passengers and 26 crew on board.

Luck played a part

Luck played a part in the safety of Flight QF32 as well as the expertise of the pilots. There happened to be five experienced pilots, including three captains, aboard the plane. One captain was giving the flight's captain, Richard de Crespigny, an annual check of piloting skills.

The captain doing the evaluation was himself being evaluated by a third captain. There were also first and second officers, who were part of the normal three-pilot team.

De Crespigny concentrated on flying the plane, while the others dealt with the computer alarms and made announcements to passengers, some of whom were seeing flames streaming from the engine.

Pilots spent 50 minutes clearing computer warnings

Working flat out, it took 50 minutes for the pilots work through all of the computer messages, said The Press Association.

Airbus has confirmed that although the aircraft was only minutes into the flight when the incident happened, it was one hour and 40 minutes before QF32 landed.

When pilots receive safety warnings, they are supposed to check the airline's operating manual and implement specific procedures. But with so many warnings, the Qantas pilots sorted through and prioritised the most serious first.

It's likely that for some of the problems there were no procedures because no airline anticipates so many things going wrong at once, said John Goglia, a former member of the National Transportation Safety Board.

The A380 cockpit has eight 6" by 8" LCD
displays, all of which are physically identical and interchangeable, comprising
two primary fight displays, two for navigation, one for engine parameter, one
for systems, and two for multi-functions.

Th

ey include Qwerty keyboards and trackballs
which interface with a graphical "point-and-click" display navigation
system.

The pilots of QF32 received alerts on ECAM [Electronic Centralised Aircraft Monitor] displays which are designed to help pilots deal with emergencies.

If they give too much information after an incident there is a danger pilots may spend their time dealing with the messages rather than flying the plane.

The ECAM comprises a series of systems. It displays failures by importance ranging from level 1 failures to level 3. If there are simultaneous failures the most critical failure is displayed first.

"Systems damage" on the A380 - Airbus statement

Airbus said that when the A380 was certified it had to show that the aircraft would withstand one single high-energy fragment. But after the engine explosion on QF32 there were "three different high-energy fragments, resulting in some structural and systems damage, with associated ECAM warnings".

The pilots controlled the A380's other three engines manually until the aircraft stopped.

Engine pieces sliced wiring

Engine pieces sliced electric cables and hydraulic lines in the wing.

The wing's forward spar - a beam that attaches it to the plane - was damaged as well. The wing's two fuel tanks were punctured. Woodward said that as fuel leaked out, a growing imbalance was created between the left and right sides of the plane.

The electrical power problems prevented the pilots from pumping fuel forward from tanks in the tail. The plane became tail heavy.

That may have posed the greatest risk, safety experts said. If the weight imbalance had become too extreme the aircraft could have lost lift, putting it in danger of stalling.

Part of Airbus 380 fly-by-wire software went into "Alternate law"

The slats on the Airbus A380 became jammed. This meant that some of the aircraft's flight control systems switched to so-called "Alternate law" - a set of software-controlled rules that govern the systems over if several systems stop working.

The landing gear doors were inoperable. The pilots used gravity to lower the gear.

Brake temperatures were said to have reached over 1,650 degrees Fahrenheit during the landing, causing several flat tyres. If fuel leaking from the damaged wing had hit the brakes, it could have caused a fire. The pilots allowed the plane to roll almost to the end of the runway, close to fire engines that put foam on the brakes and undercarriage.

Electrical problems

Woodward also said that:

- When the engine failed it caught fire the fire suppression system was difficult to deploy.

- An electrical bus on the left wing failed. The plane was designed so that a second bus on the same wing or the two buses on the opposite wing would pick up the load. That didn't happen.

Airbus emerges from incident with credit

Woodward praised the plane, saying it was a testament to its strength that it was able to continue to fly relatively well despite all the problems.

"I see this as a testimony to the strength and redundancy of the aeroplane to survive such bad damage and fly quite nicely apparently and come back and land," he said.

"It is absolutely a testimony to the aircraft and its structures."

He said that reconsideration will probably be given to the design and location electrical wiring in the wings.

Can manufacturers design for debris flying everywhere?

During testing manufacturers have to show that their aircraft can cope with failures such as the jamming of landing gear doors and multiple engine failure. But it is difficult to simulate the sort of diverse failures that can happen when debris slices through parts of an aircraft.

Goglia said: "The circumstances around this accident will certainly cause the regulatory authorities to take a long and hard look at a number of certification issues."

Woodward said: "What we have got to ensure is that systems are separated so that no single point of failure can damage a system completely ... In this situation the wiring in the leading edge of the wing was cut. That lost multiple systems."

Michael Barr, who teaches aviation safety at the University of Southern California, said a commercial plane cannot be designed to withstand a spray of shrapnel, which can inflict damage anywhere. The proper focus, he said, should be on determining what caused the engine to fail and fixing that problem.

The federal secretary of the Australian Licensed Aircraft Engineers Association, Steve Purvanis, said the incident could have resulted in a fatal disaster.

"With fuel gushing out of the fuel tank there and some very hot components, certainly one that was hot enough to explode an engine, they were very lucky that fuel inside the wing didn't ignite ... The passengers and crew on board were probably unaware of how serious the situation was. I would say from the pictures that I've seen that they're very lucky to be alive today."

Flying is safe - but it will never be 100% safe

Businessman and aviator Dick Smith told The Kathryn Report said that aircraft are ''uncannily reliable'' but the public has come to expect the impossible.

''It is almost like people believe that flying in the air is perfectly safe. Even the most disciplined person can make an error - it is the same with design. People have to realise that nothing in life is without risk,'' he says.

Qantas had grounded its fleet of six A380s. It's now said to be seeking compensation from Rolls-Royce. On 23 November 2010 Qantas announced that it was gradually resuming some A380 flights.

What Qantas is telling passengers of its A380s [updated 23 Nov]

"We plan to operate our next A380 passenger service as QF31 Sydney-Singapore-London on Saturday 27 November.

"Qantas is now satisfied that it can begin reintroducing A380s to its international network progressively. The first aircraft scheduled to return to service on Saturday, 27 November. In the meantime, Qantas will continue to utilise its extensive fleet of aircraft to operate its domestic and international schedule.

"The A380 will operate between Australia and the UK for its initial services. As more A380s become serviceable, Qantas will assess when and how best to deploy them, consistent with its conservative operational approach over the past weeks.

"Since Qantas QF32 suffered an engine failure and returned safely to Singapore Changi Airport we have been working closely with Airbus, our customers and the authorities.

"In situations like these Rolls-Royce has well established processes to collect and understand information relating to the event and to determine suitable actions.

"As always the safe operation of our products is our number one priority. The Group feels that it is prudent to recommend that a number of precautionary engine checks are performed to ensure continuous safe operation of the fleet. This process is now underway and coordinated with Airbus."

- The aft gallery in the fuel system failed, preventing some fuel transfer functions

- Problem jettisoning fuel

- Hole in the upper wing surface

- Part failure of leading edge slats

- Part failure of speed brakes/ground spoilers

- Total loss of all hydraulic fluid in one of the jet's two
systems

- Manual extension of landing gear

- Loss of one generator and associated systems

- Loss of brake anti-skid system

- No.1 engine could not be shut down in the usual way after
landing because of major damage to systems

- No.1 engine could not be shut down using the fire switch,
which meant fire extinguishers would not work on that engine

- ECAM (electronic
centralised aircraft monitor) warnings about fuel imbalance
(because of fuel leaks on left side) could not be fixed with cross-feeding

- Fuel was trapped in the trim tank (in the tail) creating an imbalance

- Left wing forward spar penetrated by
debris

Update [23 November 2010]

The Financial Times today suggests that Rolls-Royce is about to impose new guidelines on users of its Trent 900 engines stipulating that they cannot be operated at above 70,000 pounds of thrust.

This could hit Qantas’s A380 services from Sydney and Melbourne to Los Angeles, as 72,000 pounds of thrust is needed for the Pacific route. Qantas said a voluntary suspension on the Pacific route remains “until further operational experience is gained or possible additional changes are made to engines”.

Qantas is quoted by the FT as saying: “Pilots still have access to maximum certified thrust [of 72,000 pounds] if they require it during flight. It is not a manufacturer’s directive."

The airline said its A380 engines remain subject to a European Aviation Safety Agency airworthiness directive issued on November 11. The directive mandates that all the Trent 900 engines undergo certain inspections every 20 flying cycles.